According to the Two Factor Auth List, eBay does indeed support 2FA (at least on the US version). So, spurred on by this most excellent comment from a faithful Naked Security reader, off I went to research the steps.

Generally, the process for setting up 2FA nowadays is very straightforward. After all, companies that offer 2FA want to make it as easy as possible to entice folks like you and me to use them.

In the case of eBay, I spent over an hour trying to figure out how to enable 2FA on my account. It was mind-bogglingly disjointed and difficult.

I went down the proverbial rabbit hole just to try and find a clear, simple answer. After searching, all I found was:

A static telephone PIN for my eBay account

An option to enable 2FA via a key fob that I’d have to purchase

2FA for my linked PayPal account

I’ve retraced my steps in the post below for your edification.

Naked Security readers: If you are more eBay-fluent than I and find that I’ve missed an obvious, easier way to set up 2FA for eBay, please let me know and I will be very happy to correct this post.

The unnecessary saga of 2FA in eBay

No luck. But I noticed a field under “Personal Information” called “Telephone PIN” that seemed promising. The language seemed 2FA-esque.

First, I needed to add a mobile phone to my account, which was straightforward. But then I was asked to set a 6-digit phone PIN, which isn’t what we’re looking for.

I noticed that I wasn’t asked for my PIN upon login either, so it seems this is a confirmation step upon purchase.

While it’s better than nothing, since the PIN doesn’t change this is basically 1FA. Like your password, the PIN is something you know.

The PIN doesn’t offer a second factor of authentication, like something you own – like a cell phone or an Authenticator app that receives or generates a unique code.

To spare you the boring details, I clicked every subsection of the “My Account” area, examined the “Security Center” in the eBay footer and even did the thing I hate most – consulting the “Help” section – but I found nothing even remotely hinting at Security settings.

I resorted to a bit of Googling, and managed to find this page buried within eBay itself about the PayPal Security Key.

The page assures the reader that the Security Key works for both eBay and PayPal, but that it must be initialized separately on each site. Although, it doesn’t say how.

The Overview page reassured me that I could use an app to secure my eBay account, and sent me to a promotional page that also assured me it was specifically for eBay. Great!

With the authenticator app downloaded, I was hopeful that this was the solution I’ve been looking for. But I still couldn’t find a way to link my authenticator to my eBay account.

So I went back to the page I’d discovered earlier, clicked the “Order Security Key” option on the left, and was prompted to log in to my PayPal account.

Upon logging in, PayPal says it will text me a code to my cell phone. So far, so good.

PayPal sent me a code to my cell phone, which I then verified:

And then I was referred to my PayPal account. Did it work? And what happened to my eBay account? No notification that I could find confirming it either way.

Back to the drawing board and to the earlier page.

I now tried “Activate Security Key” instead and was prompted to log back in to my eBay account.

Upon doing so, I was greeted by this screen with the message, “To activate your Security Key for use on your eBay account, follow the steps below. If you wish to activate the Security Key for your PayPal account, you must go to the Paypal activation page.”

That’s a physical key fob, which I don’t have, though they were available for purchase ($30 USD) on the Symantec page.

Undeterred, I still tried inputting the serial number and code from my authenticator app, but it didn’t work.

Since I still couldn’t find a way to link the mobile authenticator app to my account, I’m guessing this means the only 2FA supported by eBay is via the physical key fob that you’d have to purchase.

(I haven’t purchased the key fob, so I can’t verify personally if it works. Given how buried the 2FA page is on the site, it’s possible I found an old page for a feature that’s no longer supported, but I hope this isn’t the case.)

Setting up 2FA on Paypal

I found a post that mentioned 2FA via Paypal, at least for the US version.

While EBay did own Paypal for a few years, they split in 2014.

Still, Paypal is a pretty integral part of eBay, so this seemed like a promising lead. At the very least, if 2FA is enabled for PayPal, it’s an added layer of security at the purchase step.

For PayPal US users, as soon as you log in, click “Profile” under “My Account” and select “My settings.” You’ll see an option for a “Security Key.” Hit “Update” to proceed.

Next, you’ll need to register your mobile phone to your PayPal account if you haven’t already. Do so, and hit “Agree and Register.”

Now PayPal will text you a 6-digit code to your registered mobile device. (I could not find an option here to register for with an authenticator app instead.)

Upon entering the code and hitting “Activate,” PayPal will confirm that you successfully enabled 2FA on your PayPal account.

It just shouldn’t be this hard

I do commend PayPal for offering 2FA. At the very least, a criminal trying to cause mischief by commandeering an eBay account would not be able to make purchases via PayPal without hitting the 2FA wall.

Though if you have a credit card linked to your eBay account, or don’t have a PayPal account at all, PayPal’s 2FA is out of the picture.

That said, hopefully eBay’s key fob 2FA works – if you can find it – but it should never be this difficult to set up 2FA.

I am hoping perhaps the lack of clarity around setting this up is only temporary, and hopefully the team at eBay is working on a better solution – preferably one that leverages a free authenticator app and/or SMS, instead of a purchase-only key fob.

If you are an eBay user who finds this process a bit lacking, I encourage you to send the team at eBay a note about making 2FA adoption easier overall.

1) Go to https://scgi.ebay.com/ws/eBayISAPI.dll?ActivateSecurityToken
2) Open your app, you will see your credential ID up top and current security code
3) Entery your credential id in [1] and your security code in [2]
4) Wait until your current security code dissapears and a new one appears
5) Enter your newly generated security code in [3]

Basically you need to enter your credential id, and two last security codes displayed by the app while you filling out the form.

I just started looking into 2FA for eBay because I’ve gotten locked out of my account a half dozen times in the past week. Ebay keeps telling me they suspected unauthorized access on my account and I have to reset my password. Hoping enabling 2FA puts an end to this.

It is possible to set up Google Authenticator (or Yubico Authenticator, if you have a Yubikey) as a VIP Key. It requires a bit of work, but there is a Python app which can do all the hard work for you and generate the codes you need. I have been using Yubico Authenticator successfully with Paypal for over a year. I had looked at linking it to Ebay too, but given up, for the same reasons as you.

Very interesting — and I’m glad it’s not just me either. But given that a lot of people use eBay every day, I’m really hoping someone will comment and let me know that I’ve missed a really obvious solution somewhere.

You would do it the same way as with a hard token, enter the Token ID (which is displayed in the App) and then validate a code or two. It’s been years since I’ve done it (they’ve had the token support for a long time) but it worked.

It is not just me, then!
It is possible to use Google Authenticator (or Yubico Authenticator if you have a Yubikey) as a VIP Access code generator. It requires a bit of work, but there is a Python app (https://github.com/cyrozap/python-vipaccess) that will do all the hard work for you and generate the codes (and a QR Code) for you to enter into Authenticator. I have been using Yubico Authenticator successfully with Paypal for a year.
I spent some time trying to link this to Ebay, but I have found no way of doing it. It appears that you cannot get a Paypal security key in the UK (you have to use your phone), so maybe the option isn’t available on UK Ebay accounts.

A great question – I did indeed call their support line and I couldn’t get a straight answer about it, my questions about 2fa were answered with something akin to “well, if something fishy is going on with your account, we’ll prompt you with security questions or lock the account completely.” I’m starting to think that eBay’s 2fa is completely unsupported at this point.

This is EXACTLY the kind of hassle I went through in a FUTILE effort to set up 2FA on my eBay account. At one point, it DID allow me to set up 2FA and then it just as inexplicably went away and to date has never returned. I am mystified.

Initially, I had almost as much difficulty setting up 2FA for my PayPal account, but that seems to have sorted itself out.

I tried the Symantec VIP app and I’m getting an “Internal Error” from eBay. There’s a chance now that PayPal has moved away from hard-tokens (and moved to SMS tokens), that eBay (which relied on PayPal for much of its tech direction) will have to stop supporting hard/soft tokens as well. I don’t much like SMS, because its not encrypted. And anyone who knows how to clone a phone can bypass it as security. But its better than nothing. Does PayPal permit using soft tokens (like VIP)? If so, I’d switch over to that. But I talked to their reps last year and they were moving away from all hard/soft tokens.

I used the Activate link today and the Symantec VIP app information. You enter the “Credential ID” as the “Serial Number” and then two sequential security codes (before the second one expires). I did this today on a bank account, PayPal, and eBay. Had to try twice on eBay, but presumably only because I typoed something the first time.

I think you should update this post to reflect the successful method of using the VIP Access application. That method does work, but you have to read all of the comments to figure it out. Also, the comments referring to Google Authenticator and Python make it look harder than it is. The VIP Access method is actually pretty easy.

It shouldn’t be necessary to use a particular proprietary app, especially one that isn’t in wide use. eBay and PayPal should generate a K Secret Key for any TOTP authenticator plus the QR code supported by Google Authenticator.
Meanwhile PayPal has a system problem that’s forced many users to disable 2FA, and makes security harder than it needs to be by forcing users to type in passwords rather than paste them in from password generators, thereby discouraging use of strong passwords.
Shame on them both.

Ebay’s security is lax but if there is a problem YOU will suffer the consequences,
The way to go is FIDO U2F. Tokens are cheap, some sell for less than USD 10 (HyperSecu, Happlink). There is nothing to retype – just a button to press. And the server-side software implementation is very simple.
Dropbox and Gmail have it and it works well.
PayPal SMS tokens are so lame.

The problem with FIDO U2F is that many users aren’t willing to buy and use security keys. That’s why TOTP software authentication (like Google Authenticator) is so important. But not Symantec VIP (used by eBay and PayPal), because it uses the same ID (serial) on all sites, so the compromise of any one site compromises them all. (What were they thinking?!)

The problem with FIDO U2F is that many users aren’t willing to buy and use security keys. That’s why TOTP software authentication (like Google Authenticator) is so important. But not Symantec VIP (used by eBay and PayPal), because it uses the same ID (serial) on all sites, so the compromise of any one site compromises them all. (What were they thinking?!)

Paypal seems to have disabled use of the VIP Access App.
The problem with the VIP Access app is that it needs to be reinstalled if you factory-reset the phone. And then you need deactivate the old key and activate a new one..
Since January, I have not been able to activate a new key on the Paypal site. It always reports a “communication error.”
It continues to work on eBay.

Pay pal finally cut the cord and doesn’t allow new 2 factor connections to be made to ebay. As of today however, the old RSA/Paypal type security keys are being converted to a phone based 2fa type. Neither Ebay and Pay pal support techs I spoke with were aware of the change or at least would not communicate that anything changed. Ebay sent an email today with a link to convert my older type 2FA to the phone / txt based token.

My ebay account got hacked, and since I made the mistake to link my Paypal account (wish I never did this convenience) they were able to make illegal purchase which I’m battling with my Bank to reverse (can take months even though item never shipped). Worse part is I’m now getting 3000+ spam emails a day the thiefs used to cover their track (hint: if you get suddenly spam flood, check your paypal or other financial accounts). SO MAD at ebay as they don’t provide 2FA (unlike google or paypal) which lead me to this article! since ebay can be linked to paypal it should be as safe and require at least an SMS token if you’re on a machine it doesn’t recognize… unless I’m mistaken all it takes is the fixed password to start a shopping spree on ebay. INCREDIBLY BAD! I was told thielf will then call the seller and change the shipping address to receive the goods. 2 weeks later and still getting spam flood on my gmail.. down to about 600 a day instead of few a week I used to get…. so fumming! DAM YOU EBAY

Two days ago, my Top rated seller account has been hacked. The issue has been fixed by eBay, and I have asked eBay to step up and give me a better protection.

Well, eBay did just that, but probably tougher than what I expected. Now I need to verify my devices by phone calling eBay and providing a verification code every time a change happens. The issue is: This verification method is very annoying. I need to re-verify every item my browser’s cookies get deleted or a change of IP address / location occurs. This is a bit too much!

Smart companies verify devices by recognizing the physical MAC address of these devices, so that we don’t need to do the verification more than once, unless we report a device as stolen or a new device is going to be used. Two steps authentication is also another solution. I don’t want to phone call eBay whenever I reset my browser’s setting on my iPhone for instance, or a PC or a tablet, as long as I am using the same devices.

2FA on Ebay for new accounts (or old accounts that never had 2FA setup before in the old days) is more like hidden-in-plain-sight as a 1FA texting of a one-time passcode. when you sign in on Ebay, instead of logging in as usual by typing in your email (or username) and password, click the link “Text a temporary password”, then you’ll get a prompt where you type in your email (or username), and then Ebay finds your corresponding cell number, and then you click to have Ebay send you a text. you get a text with a six-character alphanumeric passcode, you input that on Ebay and you’re in. this confusing 1FA texting is probably a security method in obfuscation to throw people off because you may end up thinking backwards and sideways to understand how this is laid out at first.

of course, you most likely have no hope if someone has both your email (or your username) and your real actual password. Ebay is most likely counting on people having secure passwords, because that is probably all you can count on most non-techie people (who never heard of 2FA) to do nowadays and going forward forever. hopefully Ebay has security measures in place to detect if any bad guys (who are not really you) are trying to get into your account. haha yeah wishful thinking. yeah, it is kinda hard to have any faith in the great Ebay gods in the Ebay cloud.

Looks like ebay has made it easier to use 2FA. However it seems limited to SMS messages. Go to Personal Information in My Account settings. Then at the very bottom there is an option to enable 2FA. Use your phone number and Voila!

Agreed. Ebay now supports SMS 2FA. That being said Tokens don’t look like they are supported. Go to Personal Information in My Account settings. Then there will be an option at the very bottom. All works now!